Hackers attacked the web site of smartphone manufacturer OnePlus and compromised credit card information of up to 40,000 customers, the Shenzhen, China-based company has confirmed.

In a January 19 forum post, OnePlus reveals a malicious script was injected into its payment page code after hackers successfully penetrated one of its systems. The script ran intermittently but could sniff out credit card information as it was entered.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” the company says.

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”

The phone maker reveals that oneplus.net had been under attack for an extended period – from mid-November 2017 to January 11, 2018. Credit card information (including card numbers, expiry dates and security codes) entered at oneplus.net during this time “may be compromised,” the company says.

Customers shopping with a “saved” credit card (i.e. who didn’t have to enter the information manually) should not be affected. The same applies to users who paid with “credit card via PayPal,” and users who paid with PayPal itself.

The threat has since been eliminated, and OnePlus has quarantined the infected server. The company is working with payment providers and local authorities to better understand how hackers infiltrated its systems. As it conducts its audit, OnePlus is also implementing “a more secure” credit card payment method.

In the meantime, customers who received OnePlus’s email about the hack are instructed to check their card statements and report any suspicious activity to their bank. Users who happen upon “potential system vulnerabilities” on the oneplus.net website are urged to report them to security@oneplus.net.